Apache Releases Security Update for HTTP Server
DESCRIPTION:
The Apache Software Foundation has released Apache HTTP Server 2.4.52.
Reference: https://downloads.apache.org/httpd/Announcement2.4.html
CVE-2021-44790 (CVSS score: 9.8 - CRITICAL) - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
CVE-2021-44224 (CVSS score: 8.2 - HIGH) - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
IMPACT:
Apache HTTP Server version 2.4.52 addresses the vulnerabilities CVE-2021-44790 and CVE-2021-44224, one of which may allow a remote attacker to take control of an affected system.
RECOMMENDATIONS:
Updates are available. Please see the references or vendor advisory for more information.
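To prioritise patching, the affected version ranges and the triggering features named above (mod_lua loaded, ProxyRequests on) can be checked against a host's version banner and configuration text. The following is an added example, not part of the original advisory or the Apache project; the function names and the sample banner and configuration are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory text above.
LUA_MAX = (2, 4, 51)                          # CVE-2021-44790: 2.4.51 and earlier
PROXY_MIN, PROXY_MAX = (2, 4, 7), (2, 4, 51)  # CVE-2021-44224: 2.4.7 up to 2.4.51

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "Server version: Apache/2.4.51 (Unix)"
SAMPLE_CONFIG = """\
LoadModule lua_module modules/mod_lua.so
# ProxyRequests Off
<VirtualHost *:8080>
    ProxyRequests On
</VirtualHost>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return tuple(int(x) for x in m.groups())

def active_directives(config_text):
    """Yield (lowercased name, args) per directive, skipping comments and section tags."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def assess(banner, config_text):
    """Return CVE ids whose version range and triggering feature both match."""
    version = parse_version(banner)
    seen = list(active_directives(config_text))
    # mod_lua being loaded is a precondition; the flaw is reached via r:parsebody().
    lua_loaded = any(n == "loadmodule" and a.split()[:1] == ["lua_module"] for n, a in seen)
    forward_proxy = any(n == "proxyrequests" and a.lower() == "on" for n, a in seen)
    findings = []
    if version <= LUA_MAX and lua_loaded:
        findings.append("CVE-2021-44790")
    if PROXY_MIN <= version <= PROXY_MAX and forward_proxy:
        findings.append("CVE-2021-44224")
    return findings
```

The check reads only the text it is given, so files pulled in through Include directives must be concatenated first. Distribution packages may backport fixes without changing the upstream version number, so treat a match as a prompt to confirm against the vendor advisory.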
REFERENCES:
http://httpd.apache.org/security/vulnerabilities_24.html
https://downloads.apache.org/httpd/Announcement2.4.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44790
https://nvd.nist.gov/vuln/detail/CVE-2021-44224
Published: 23 December 2021, 13:41:18 BST